METHOD FOR DISTRIBUTED COMPUTATION 
OF RSA INVERSES IN ASYNCHRONOUS NETWORKS 



TECHNICAL FIELD 

The present invention is related to a method and system for distributed computation of an RSA inverse value in an asynchronous network among participating network devices.

DESCRIPTION OF PRIOR ART 

RSA is the most widely used public-key cryptographic system today and uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. Methods for sharing an RSA key among a group of parties in a distributed system, and for using the key in a fault-tolerant way, have therefore received considerable attention. They are the subject of threshold cryptography.

For example, it is well-known how to distribute an RSA signature scheme in synchronous networks among n parties such that a majority of them can securely issue signatures together, despite the fact that up to t may be faulty and misbehave in arbitrary, malicious ways. Given an RSA public key (N, e), where N is the product of two large primes, such schemes work by sharing the RSA "decryption exponent" d = e^{-1} mod φ(N) among the parties, where φ(·) is the Euler function. To sign m, the parties jointly compute σ such that σ^e = m (mod N). The values N, e, and d are chosen when the signature scheme is set up and remain unchanged afterwards.

Several RSA-based cryptosystems have been proposed where e is given dynamically together with a value x, and the problem is to compute y such that y^e = x (mod N). This is also referred to as the RSA inversion problem. Catalano, Gennaro, and Halevi present in "Computing inverses over a shared secret modulus," in Advances in Cryptology: EUROCRYPT 2000 (B. Preneel, ed.),

CH920020056US1 1 



vol. 1087 of Lecture Notes in Computer Science, pp. 190-206, Springer, 2000, a protocol that solves the problem in the threshold setting for synchronous networks. This protocol computes d as the modular inverse of e with the shared modulus φ(N), from which y = x^d mod N is obtained.

Most threshold cryptographic protocols assume a synchronous network with a broadcast channel connecting all parties. Although this assumption is justified in principle by the existence of suitable clock synchronization and Byzantine agreement protocols that provide broadcast, the approach leads to rather expensive solutions in practice, for example, when deployed in wide-area distributed systems with only loosely synchronized clocks. These systems are also vulnerable to timing attacks.

Almost all known threshold RSA schemes require a synchronous network with broadcast; the only exception is a non-interactive signature scheme by V. Shoup, "Practical threshold signatures," in Advances in Cryptology: EUROCRYPT 2000 (B. Preneel, ed.), vol. 1087 of Lecture Notes in Computer Science, pp. 207-220, Springer, 2000, which however makes crucial use of the random oracle model.

From the above it follows that there is still a need in the art for an improved computation of an RSA inverse in asynchronous distributed systems, consisting of n communicating parties linked only by point-to-point channels, where local clocks are not synchronized and no a priori bound on message delay exists. A practical and efficient asynchronous distributed RSA inversion scheme is therefore desired.

SUMMARY OF THE INVENTION 



Disclosed is an efficient asynchronous scheme which allows one to compute an RSA inverse y with respect to a public RSA modulus N whose factorization is secret and shared among a group of parties, herein also referred to as participating network devices. Given two input values x and e, the scheme computes y such that y^e = x (mod N). The disclosed scheme is attractive because it does not rely on Byzantine agreement; it leads to efficient asynchronous protocols for threshold signatures and for Byzantine agreement based on the strong RSA assumption, without the use of random oracles. The random oracle model allows one to design practical cryptographic systems, but only yields heuristic evidence for their security. Using the scheme, one can obtain asynchronous threshold implementations of the RSA signature schemes which are based on the strong RSA assumption. These represent the first implementations of threshold signatures in asynchronous networks without random oracles.

The disclosed scheme for asynchronous distributed RSA inversion is quite practical, achieves resilience n > 4t, and uses O(n^) messages and O(n^ K) communication, where K is a security parameter. Moreover, it is deterministic and does not rely on a randomized Byzantine agreement primitive, which would not only be more expensive but also preclude one of its applications: to implement randomized asynchronous Byzantine agreement using cryptography.

The scheme employs one distributed multiplication step like the synchronous RSA inversion protocol of Catalano et al. However, contrary to the generic approach of turning synchronous protocols with broadcast into asynchronous ones, the disclosed scheme does not need Byzantine agreement because RSA inversion is self-verifiable and the result can be checked by every participant, i.e. participating network device, locally.

In accordance with the present invention, there is provided a method for distributed computation of an RSA inverse value in an asynchronous network from at least two input values x, e among n-1 participating network devices A, B, C comprising t < n/4 faulty devices and a non-faulty leader device D, the participating network devices A, B, C, D holding share values φ_A, φ_B, φ_C, φ_D of the Euler function φ(N) of an RSA modulus N, each participating network device, with P = A, B, C, D, performing the steps of:

(I) choosing a first random value q and a second random value r;

(II) sharing over integers Z the first random value q, the second random value r, and the zero value 0;

(III) the leader device D performing additionally the steps (i, ii) of:

(i) receiving a first, second, and third sub-share value q_i, r_i, 0_i from at least t + 1 participating network devices A, B, C, D;

(ii) broadcasting the identities S of said participating network devices A, B, C;

(IV) receiving the identities S and corresponding sub-share values q_i, r_i, 0_i;

(V) deriving a sum-share value F from the share value φ_P, the at least one input value e, and the corresponding sub-share values q_i, r_i, 0_i defined by the identities S;

(VI) broadcasting the sum-share value F;

(VII) receiving 2t + 1 sum-share values F_i;

(VIII) deriving a polynomial f interpolating the sum-share values F_i, an exponent share value d_P dependent on the polynomial f, and an inverse-share value y_P dependent on the exponent share value d_P and the RSA modulus N;

(IX) broadcasting the inverse-share value y_P;

(X) receiving t + 1 inverse-share values y_i; and

(XI) obtaining the RSA inverse value y from the received inverse-share values y_i.

Further, at least t + 1 participating network devices A, B, C, D can act as a leader device while performing n times the above mentioned steps. Among the n participating network devices A, B, C, D there are t < n/4 faulty devices assumed. By doing so no correct leader is necessary.

Each participating network device A, B, C, D can perform the following steps. In the event of obtaining or receiving one RSA inverse value y, the validity of the obtained RSA inverse value y under use of the at least two input values x, e can be determined, and in the event of positive determination, the RSA inverse value y is broadcast and further calculations are stopped. This allows an efficient execution of the method while termination can be guaranteed.

The sharing over integers Z can use a threshold signature for determining the consistency of subsequently received sub-share values q_i, r_i, 0_i, which allows a faster termination of the scheme.

The sharing over integers Z can use a vector of digital signatures for determining the consistency of subsequently received sub-share values q_i, r_i, 0_i, which also allows a faster termination of the scheme.

The Extended Euclidean Algorithm can be applied for deriving the exponent share value d_P, which from the practical point of view is efficient.

The RSA inverse value y can be obtained from the received inverse-share values y_i by using the Lagrange Interpolation Algorithm, which is efficient.
BRIEF DESCRIPTION OF THE DRAWINGS 

Preferred embodiments of the invention are described in detail below, by way of example only, 
with reference to the following schematic drawings. 

FIG. 1 shows a typical asynchronous network with multiple participating network devices 

and a distributor. 

FIG. 2 shows a flow diagram for distributed computation of an RSA inverse value y in an asynchronous network.

FIG. 3 shows a flow diagram with steps which each participating network device can 

perform when t + 1 participating network devices act as a leader device. 

The drawings are provided for illustrative purposes only. 
DETAILED DESCRIPTION OF THE INVENTION 



Fig. 1 shows an example of a common computer system 8, where a distributed computation of an RSA inverse value y can be performed. It consists of n = 4 participating network devices A, B, C, and D which are connected via communication lines 5 to an asynchronous network. The system comprises here a dealer device D, which is designated by the "X". In a further embodiment, t + 1 participating network devices may act as a leader device, as described in more detail below. Each participating network device A, B, C, D may be any type of computer device known in the art, from a computer on a chip or a wearable computer to a large computer system. The communication lines can be any communication means commonly known to transmit data or messages from one participating network device A, B, C, D to another. For instance, the communication lines may be either single, bi-directional communication lines 5 between each pair of participating network devices A, B, C, D or one unidirectional line in each direction between each pair of participating network devices A, B, C, D. Such a computer system 8 and communication lines 5 are well known in the art. In the case where one participating network device A, B, C sends information to itself, an equivalent result could be achieved by merely moving data within the participating network device and not sending it over a communication line to itself. The common computer system 8 is shown to facilitate the description of the following distributed RSA inverse computation protocol. The same reference signs are used to denote the same or like parts. A method for distributed computation of an RSA inverse value y in an asynchronous network is described in the following together with some basic and further issues.

Fig. 2 shows a flow diagram of a method 20 for distributed computation of an RSA inverse value y in an asynchronous network, from at least two input values x, e among n-1 participating network devices A, B, C comprising t < n/4 faulty devices and a non-faulty leader device D. The participating network devices A, B, C, D hold share values φ_A, φ_B, φ_C, φ_D of the Euler function φ(N) of an RSA modulus N. In an initialization process 10, the two input values x, e, the RSA modulus N, and the share values are made available, as indicated in boxes 2 and 3, respectively. Each participating network device, with P = A, B, C, D, performs the following steps referenced with Roman numerals. At first, a first random value q and a second random value r are chosen, as indicated by box I. Then, in a sharing step, the first random value q, the second random value r, and the zero value 0 are shared over integers Z, as indicated with box II.

The leader device D additionally receives a first, second, and third sub-share value q_i, r_i, 0_i from the at least t + 1 participating network devices A, B, C, D and broadcasts the identities S of the participating network devices A, B, C, D, as indicated by the boxes IIIi and IIIii.

In a receiving step, the identities S and corresponding sub-share values q_i, r_i, 0_i are received, as indicated with box IV. Then, a sum-share value F can be derived from the share value φ_P, the input value e, and the corresponding sub-share values q_i, r_i, 0_i defined by the identities S, as indicated with box V. The sum-share value F is then broadcast, as indicated with box VI, whereby such a broadcast does not guarantee anything if the respective sender is faulty. Then, 2t + 1 sum-share values F_i are received, as indicated with box VII. A polynomial f is derived, as indicated with box VIII, which interpolates the sum-share values F_i, together with an exponent share value d_P dependent on the polynomial f and an inverse-share value y_P dependent on the exponent share value d_P and the RSA modulus N. The inverse-share value y_P is then broadcast, as indicated with box IX, and t + 1 inverse-share values y_i are received, as indicated with box X. Finally, the RSA inverse value y can be obtained from the received inverse-share values y_i, as indicated with box XI.

Fig. 3 shows a flow diagram of a complete protocol 30 for distributed computation of an RSA inverse value y with steps for each participating network device to be executed when t + 1 participating network devices act as a leader device. In this further embodiment at least t + 1 participating network devices A, B, C, D act as the leader device while performing t + 1 times the above-mentioned steps of the method 20. Then, with reference to Fig. 3, each participating network device A, B, C, D performs, in the event of obtaining or receiving one RSA inverse value y, a determination on the validity of the obtained RSA inverse value under use of the at least two input values x, e, as illustrated with box XII.

In the event of positive determination the RSA inverse value y is broadcast, as indicated with box XIII, and all further calculations are stopped, as indicated with box XIV. This allows a termination of the protocol.

In order to facilitate the above-described steps, some mathematical aspects are addressed in more detail below.

Cryptographic assumptions 

An RSA modulus N is the product of two primes of equal length. A safe prime π is a prime such that (π − 1)/2 is prime. A safe RSA modulus is the product of two safe primes π and q, which comprise the secret key. The RSA operation is to compute m^e mod N for given m and e. The RSA inversion operation is to compute an RSA inverse value y such that y^e = x mod N for given x and e; y is also called the RSA inverse of x and e.

Given a secret key φ(N) = (π − 1)(q − 1), RSA inversion is easily carried out by computing d = e^{-1} mod φ(N) and then raising x to the power d modulo N. The knowledge of φ(N) is equivalent to knowing the factorization of N. In the following it is shown how to compute this in an asynchronous distributed network where φ(N) is shared among the participating network devices A, B, C, D, hereafter also referred to as parties P_1, P_2, ..., P_n, or each as party P_i.

Computing RSA Inverses with a Shared Secret Key 

An (n, k)-sharing of a secret φ is an encoding of φ into a set of shares φ_A, φ_B, φ_C, φ_D such that any set of at least k shares uniquely defines φ and any set of less than k shares gives no information about φ. Associated with a sharing is an efficient reconstruction algorithm that reconstructs φ from any set of k shares.






It is assumed that N is an RSA modulus. Suppose the participating network devices A, B, C, D hold the shares of an (n, k)-sharing, as described in the previous paragraph, of the corresponding RSA secret key φ(N). The method 20 is hereafter also referred to as preliminary protocol 20, as there are messages sent back and forth between the parties. More precisely, the preliminary protocol 20 is an RSA inversion protocol with non-faulty leader device. The preliminary protocol 20 for RSA inversion of x and e, for some e > n, is started with input values e, N, x, φ_P. One party terminates the protocol by generating an output value y. All non-faulty parties should be activated like this and all should output y such that y^e ≡ x (mod N).

The preliminary protocol 20 for RSA inversion over N with a shared secret key φ(N) as described above satisfies the following conditions for any adversary and up to t faulty parties:

Termination: If all honest parties start the protocol and all messages are delivered, then all honest parties eventually terminate the protocol.

Correctness: If an honest party terminates the protocol and outputs y, then y^e = x (mod N) except with negligible probability.

Privacy: The adversary gains no useful information about φ(N).

Weak Asynchronous Verifiable Secret Sharing 

In weak asynchronous verifiable secret sharing, the agreement property of standard asynchronous verifiable secret sharing (AVSS) is relaxed as follows. When the dealer is faulty, some honest parties may terminate a weak AVSS protocol and others may not, but those who terminate hold consistent shares and are guaranteed that there are enough honest parties holding shares in order to reconstruct the secret. In contrast, AVSS guarantees that either all honest parties terminate the protocol successfully or none, which ensures agreement on the success of the sharing. This difference is analogous to the difference between consistent broadcast and reliable broadcast in asynchronous networks. An AVSS protocol is provided in the International Publication WO 02/087145 A1, entitled "Method of verifiably sharing a secret in potentially asynchronous networks", presently assigned to the assignee of the instant application and the disclosure of which is incorporated herein by reference.

The AVSS protocol is used many times as a sub-protocol within the RSA inversion protocol described herein.

Dual-threshold sharings are considered in this paragraph, which generalize the standard notion of secret sharing by allowing the reconstruction threshold to exceed the number of corrupted parties by more than one. In an (n, k, t) dual-threshold sharing, there are n parties holding shares of a secret, of which up to t may be corrupted by an adversary, and any group of k or more honest parties may reconstruct the secret (n − t > k > t). Such dual-threshold sharings are useful for distributed computation and agreement problems.

Secret Sharing over the Integers Z 

Polynomial secret sharing is usually done in a finite field, but it works also over Z, provided that extra randomization is added. This is a well-known technique developed in the context of threshold RSA. Let L = n!. To share a secret s ∈ [0, M − 1] over Z with security parameter K, choose k − 1 random values F_1, ..., F_{k−1} in [−KL²M, KL²M] and let f(z) = L(Ls + Σ_{j=1}^{k−1} F_j z^j). Denote the coefficients of the sharing polynomial f by f_0, f_1, ..., f_{k−1}; they are divisible by L and their absolute value is bounded by KL³M.

In the preliminary protocol 20, the shared secrets are the first random value q with k = t + 1 and M = KN, the second random value r with k = t + 1 and M = K²N², and the zero value 0 with k = 2t + 1 and M = K^L^N^.

The share of P_i is f(i) for i = 1, ..., n, computed in Z. It is easy to see that these values form an (n, k)-sharing because L²s = Σ_{i∈S} λ_i f(i) for any S ⊂ {1, ..., n} of cardinality k, where λ_i = Π_{j∈S\{i}} j/(j − i) are the Lagrange interpolation coefficients for S and position 0. This can be computed in Z because every Π_{j∈S\{i}} (i − j) divides i! (n − i)!, which divides n! = L.
Protocol for Weak AVSS over the Integers Z 

A protocol for weak AVSS comprises a secret sharing method with verification over the integers to achieve robustness based on the strong RSA assumption in Z_N^*.

Let K be a security parameter, N a safe RSA modulus, g and h two random squares in Z_N^*, and s ∈ [0, M − 1] the secret to share.

The dealer of the weak AVSS protocol first computes (n, k, t)-sharings of s and of a random s' ∈ Z_M over the integers, defining two sharing polynomials f and f', respectively. It also computes verification values C_j = g^{f_j} h^{f'_j} mod N for j = 0, ..., k − 1, where f_j and f'_j denote the coefficients of f and f'.

The communication follows the approach of "echo broadcast", also referred to as "consistent broadcast", with a non-interactive (n, m, t) threshold signature scheme for m = max{k, ⌈(n + t + 1)/2⌉}. Recall that such a signature scheme tolerates up to t corrupted parties and requires m valid signature shares for assembling the threshold signature. First, the dealer sends a share of the secret to all parties and every party answers with a threshold signature share if the share is valid. Then, upon receiving m threshold signature shares, the dealer computes the threshold signature and sends it to all parties. Finally, a party accepts the sharing when it has a valid share and receives a valid threshold signature.

The protocol for weak AVSS allows sharing multiple secrets s, s', ... in parallel with the same dealer in sharings with reconstruction thresholds k, k', .... All properties are satisfied if the reconstruction threshold m of the threshold signature scheme is set to m = max{k, k', ..., ⌈(n + t + 1)/2⌉}. This not only decreases message and computation complexities compared to separate executions of the sharing protocol, but also ensures that every honest party holding a share of s also holds a share of s'.
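The share-verification step of this weak AVSS, as an added example in Python that is not part of the patent text. It assumes the verification values have the form C_j = g^{f_j} h^{f'_j} mod N, uses a constructed toy modulus 23·47 with g and h fixed squares (random in the real protocol), and shows an honest share pair passing the check while a share altered in transit fails it.

```python
"""Share verification for the weak AVSS over Z (added example, not the patent's code).
Dealer: shares s and a random s' with f(z) = L(Ls + sum F_j z^j) and f'(z) likewise,
and publishes C_j = g^{f_j} h^{f'_j} mod N. Party i checks its pair (f(i), f'(i))
against the public C_j without learning anything about the other parties' shares."""
from math import factorial
import random

# Constructed toy parameters: safe-prime modulus 23 * 47 (far too small for real use).
N = 23 * 47
g, h = pow(3, 2, N), pow(5, 2, N)   # two squares in Z_N^*; chosen at random in the real protocol
n, t = 5, 1
k = t + 1                            # reconstruction threshold of this sharing
L = factorial(n)                     # the integer-sharing scaling factor L = n!
K = 16                               # security parameter (toy size)


def sharing_poly(s, k, M, rng):
    """Coefficients f_0..f_{k-1} of f(z) = L(Ls + sum_{j>=1} F_j z^j), F_j in [-K L^2 M, K L^2 M]."""
    bound = K * L * L * M
    return [L * L * s] + [L * rng.randint(-bound, bound) for _ in range(k - 1)]


def evaluate(poly, z):
    """f(z) computed over Z."""
    return sum(c * z**j for j, c in enumerate(poly))


def deal(s, M, rng):
    """Dealer side: two sharing polynomials, per-party share pairs, and the public C_j."""
    f = sharing_poly(s, k, M, rng)
    fp = sharing_poly(rng.randint(0, M - 1), k, M, rng)      # random s' in Z_M
    # pow() with a negative exponent modulo N uses the inverse (Python >= 3.8); g, h are units.
    commitments = [pow(g, fj, N) * pow(h, fpj, N) % N for fj, fpj in zip(f, fp)]
    shares = {i: (evaluate(f, i), evaluate(fp, i)) for i in range(1, n + 1)}
    return shares, commitments


def verify_share(i, share, commitments):
    """Party i's check: g^{f(i)} h^{f'(i)} == prod_j C_j^{i^j} (mod N)."""
    fi, fpi = share
    lhs = pow(g, fi, N) * pow(h, fpi, N) % N
    rhs = 1
    for j, cj in enumerate(commitments):
        rhs = rhs * pow(cj, i**j, N) % N
    return lhs == rhs


def demo(seed=0):
    """Returns (all honest shares accepted?, a tampered share accepted?)."""
    rng = random.Random(seed)
    shares, commitments = deal(s=1234, M=N, rng=rng)
    honest = all(verify_share(i, shares[i], commitments) for i in shares)
    f2, fp2 = shares[2]
    tampered = verify_share(2, (f2 + 1, fp2), commitments)   # share changed in transit
    return honest, tampered
```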

The RSA Inversion Protocol with non-faulty Leader 
The preliminary protocol 20 is contemplated to work with a correct leader. It tolerates crashes and a passive adversary. That is, all parties apart from the leader may crash and collude to gain knowledge about the secret, but otherwise they follow the protocol. The preliminary protocol 20 uses the approach of the synchronous protocol for computing modular inverses by Catalano et al. to obtain a sharing of d = e^{-1} mod φ(N). Given the shared d, the result y = x^d mod N can be reconstructed.

The preliminary protocol 20 is hereafter described more mathematically. The input of every party P includes e, N, x, and φ_P, where φ_P is P's share of φ = φ(N) in an (n, t+1, t)-sharing over Z, using a polynomial S(z) = L(Lφ + Σ_{j=1}^{t} a_j z^j) for a_j ∈ [−KL²N, KL²N]. Let K > e > n.

The parties first compute a K-random (n, t+1, t)-sharing of a random Q_0 ∈ [0, KN − 1], an analogous sharing of a random R_0 ∈ [0, K²N² − 1], and a K-random (n, 2t+1, t)-sharing of 0 ∈ [0, K^L^N^ − 1]. These sharings are executed in parallel as mentioned above in the protocol to share multiple secrets, and define integer polynomials Q(z) and R(z) of degree t and H(z) of degree 2t. The shares of P_i are Q(i), R(i), and H(i).

Next, the parties obtain a sharing of F(0) for F(z) = S(z)Q(z) + eR(z) + H(z) by local multiplication and addition of shares only, and collaboratively reconstruct F(0) = L⁴φQ_0 + L²eR_0. Every party applies the extended Euclidean algorithm to compute locally a and b such that aF(0) + be = 1, which works if gcd(F(0), e) = 1. Then, d = aL²R_0 + b is the inverse of e modulo φ, as is easy to verify. However, d is not reconstructed since this would reveal φ and the factorization of N. Instead, P_i computes a share of d as d_i = aL²R(i) + b using its share of R_0; then it reveals y_i = x^{d_i} mod N. From t + 1 such y_i, the result y = x^d (mod N) can be recovered.
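The integer sharing of the previous section and the inversion steps just described, run end to end for one leader with S = all parties and no network, as an added example in Python that is not part of the patent text. It assumes constructed toy safe primes 23 and 47, n = 5, t = 1, a prime e with n < e < K (so gcd(e, n!) = 1); it forms the shares of d as d_i = a·R(i) + b, where R(i) is P_i's share of the polynomial R(z) with R(0) = L²R_0, and combines the y_i in the exponent with the integer coefficients Lλ_i followed by an extended-Euclid step that removes the factor L (the combination method is this example's choice; the text only states that y is recovered from t + 1 shares).

```python
"""Toy end-to-end run of the RSA inversion protocol (added example, not the patent's code):
integer sharing, local computation of F(i), reconstruction of F(0), extended Euclid,
and recovery of y with y^e = x (mod N) from t+1 inverse shares. Retries when gcd(F(0), e) != 1."""
from fractions import Fraction
from math import factorial
import random

# Constructed toy parameters: safe primes 23 = 2*11+1 and 47 = 2*23+1, so phi = 22 * 46.
# Far too small for security; enough to exercise the arithmetic.
P1, P2 = 23, 47
N, PHI = P1 * P2, (P1 - 1) * (P2 - 1)
n, t = 5, 1          # n > 4t as the scheme requires
L = factorial(n)     # the integer-sharing scaling factor L = n!
K = 16               # security parameter; the text needs K > e > n


def share_over_z(s, k, M, rng):
    """(n, k)-sharing of s in [0, M-1] over Z: f(z) = L(Ls + sum F_j z^j) with
    F_j in [-K L^2 M, K L^2 M]. Returns {i: f(i)} for i = 1..n."""
    bound = K * L * L * M
    coeffs = [L * L * s] + [L * rng.randint(-bound, bound) for _ in range(k - 1)]
    return {i: sum(c * i**j for j, c in enumerate(coeffs)) for i in range(1, n + 1)}


def lagrange_at_zero(points):
    """Rational Lagrange coefficients lambda_i = prod_{j != i} j/(j - i) for position 0."""
    return {i: Fraction(1) * eval_prod(i, points) for i in points}


def eval_prod(i, points):
    out = Fraction(1)
    for j in points:
        if j != i:
            out *= Fraction(j, j - i)
    return out


def reconstruct(shares):
    """f(0) = sum lambda_i f(i); exact because f(0) is an integer and L clears denominators."""
    lam = lagrange_at_zero(shares)
    total = sum(lam[i] * v for i, v in shares.items())
    assert total.denominator == 1
    return int(total)


def egcd(a, b):
    """Extended Euclid: (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def rsa_invert(x, e, phi_shares, rng):
    """One protocol run with all parties in S. phi_shares = the S(z) sharing of phi(N)."""
    while True:
        Q = share_over_z(rng.randint(0, K * N - 1), t + 1, K * N, rng)
        R = share_over_z(rng.randint(0, K**2 * N**2 - 1), t + 1, K**2 * N**2, rng)
        H = share_over_z(0, 2 * t + 1, K**3 * L**6 * N**2, rng)   # masking range: an assumption
        # Local share of F(z) = S(z)Q(z) + eR(z) + H(z); degree 2t, so 2t+1 shares open F(0).
        F = {i: phi_shares[i] * Q[i] + e * R[i] + H[i] for i in range(1, n + 1)}
        F0 = reconstruct({i: F[i] for i in range(1, 2 * t + 2)})
        g, a, b = egcd(F0, e)
        if g == 1:            # the text's condition gcd(F(0), e) = 1; otherwise resample
            break
    # d = a*R(0) + b inverts e modulo phi; nobody opens d, each party applies the map to its share.
    d_shares = {i: a * R[i] + b for i in range(1, n + 1)}
    y_shares = {i: pow(x, d_shares[i], N) for i in range(1, n + 1)}  # negative exponents ok (py>=3.8)
    # Combine t+1 inverse shares in the exponent using the integer coefficients L*lambda_i.
    subset = {i: y_shares[i] for i in range(1, t + 2)}
    lam = lagrange_at_zero(subset)
    w = 1
    for i, yi in subset.items():
        mu = lam[i] * L
        assert mu.denominator == 1                  # L = n! clears every denominator
        w = w * pow(yi, int(mu), N) % N             # w = x^(L*d) mod N
    # Remove the factor L from the exponent: alpha*L + beta*e = 1 needs gcd(L, e) = 1.
    g, alpha, beta = egcd(L, e)
    assert g == 1
    return pow(w, alpha, N) * pow(x, beta, N) % N


def demo(seed=1):
    """Shares phi(N), runs the inversion for constructed x, e and checks y^e = x (mod N)."""
    rng = random.Random(seed)
    e, x = 7, 1000     # prime e with n < e < K, so gcd(e, L) = 1; x coprime to N
    phi_shares = share_over_z(PHI, t + 1, N, rng)   # the S(z) sharing of phi(N)
    y = rsa_invert(x, e, phi_shares, rng)
    return y, pow(y, e, N) == x % N
```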

So far the description parallels the work of Catalano et al., but the difference is in the computation of the sharings. Q(z) is the sum of up to n sharing polynomials Q_i(z) with dealer P_i. The problem that arises is that all parties should arrive at the same Q(z). In the synchronous model with broadcast, agreement on faulty parties P_j who did not properly share a polynomial is immediately available. In the asynchronous system, this is not the case, so a single party is used, the leader, to choose a set S of parties whose sharings should be combined; this works because of the assumption that the leader is correct. Thus, Q(z) is set to Σ_{i∈S} Q_i(z), and R(z) and H(z) are computed in the same way.

The RSA Inversion Protocol 

This section relates to the complete protocol 30 for distributed computation of an RSA inverse value y, also referred to as complete protocol 30, which is also robust, i.e., tolerates Byzantine faults. The complete protocol 30 comprises the preliminary protocol 20 for RSA inversion with non-faulty leader device.

The preliminary protocol 20 is designed to be robust, still under the assumption that the leader P_1 is honest. The AVSS sub-protocol yields a commitment vector C to its sharing polynomial. Let C_S denote such a commitment to the polynomial used to share φ, corresponding to the share φ_i of P_i, and assume C_S is made available initially to every party. Let C_{Q,j}, C_{R,j} and C_{H,j} for j ∈ [1, n] denote the commitments resulting from the weak AVSS sub-protocols invoked by the preliminary protocol 20.

The weak AVSS sub-protocol is already robust and its messages may remain unchanged. However, additional steps are used in the inversion protocol to prevent honest parties from accepting a sum-share value F or an inverse-share value y_P with incorrect data. Since these are point-to-point messages, the standard two-party techniques for proving statements about relations modulo a composite N are sufficient; this works under the strong RSA assumption.

• For the message comprising the sum-share value F, the sender P carries out a zero-knowledge proof of knowledge with every receiver that F has been computed correctly with respect to C_S, C_{Q,j}, C_{R,j}, and C_{H,j} for j ∈ S. The receiver accepts the message only if the proof is correct.






• For the message comprising the inverse-share value y_P, the sender P carries out a zero-knowledge proof of knowledge with every receiver that y_P has been computed correctly with respect to a, b, and C_{R,j} for j ∈ S (the receiver uses its own values a and b computed upon receiving messages). The receiver accepts the message only if the proof is correct.

It remains to show how to cope with a corrupted leader P_1. For that, the preliminary protocol 20 is run t + 1 times in parallel with different leaders, which guarantees that at least one leader is honest and the corresponding protocol terminates. As soon as a party terminates the first parallel protocol instance with the correct result, it sends the result to all other parties, aborts the remaining instances, and halts. Every party who receives the correct result like this also aborts all inversion protocols. Note that every party may verify that a claimed result y is correct by checking that y^e = x (mod N).

This works because the RSA inversion operation is deterministic and the result is self-verifiable; thus, all protocol copies output the same result for all parties and every party can check locally that the output is correct if it receives the result from another party.

Application: Threshold RSA Signatures 

Standard RSA signatures can be proved secure only in the random oracle model. Random oracles are a heuristic tool to analyze the security of cryptographic primitives by pretending that a hash function is implemented by a distributed oracle, which answers with a random value for every distinct point on which it is queried. They are used because the cryptographic systems in this model are typically more efficient than the corresponding systems in the standard model, where proofs must be based only on intractability assumptions.

Two related RSA signature schemes that avoid the random oracle model have been proposed recently. One was presented by R. Gennaro, S. Halevi, and T. Rabin in their article "Secure hash-and-sign signatures without the random oracle," in Advances in Cryptology: EUROCRYPT '99 (J. Stern, ed.), vol. 1592 of Lecture Notes in Computer Science, Springer, 1999, and the second one by R. Cramer and V. Shoup presented in the article "Signature schemes based on the strong RSA problem," ACM Transactions on Information and System Security, vol. 3, no. 3, pp. 161-185, 2000.
Both rely on the "strong RSA assumption" and involve the RSA inversion of an element x with a fresh e for every signature. These schemes can be implemented in a distributed system using threshold cryptography by sharing φ(N) and carrying out a distributed RSA inversion protocol, as shown by Catalano et al. for synchronous systems.

In both schemes, the public key contains the safe RSA modulus N, and the signature generation comprises the computation of an RSA inverse of a value x and a value e that are derived from the public key, from the message to be signed, and from a random choice. Using the complete protocol 30, the first efficient implementations of RSA threshold signatures in asynchronous networks work as follows.

Suppose there is a distinguished party P_S who serves as a gateway for signature requests from clients and starts the instance of the distributed signature protocol. Party P_S is assumed to be honest and not to crash. Given the message, both signature schemes are deterministic apart from the initial choice of one random value, and the only distributed computation is the RSA inversion.

Thus, a possible protocol for asynchronous RSA threshold signatures proceeds as follows. First, the parties compute a random value using the standard approach: Every party shares a random secret using AVSS, the distinguished party P_S announces a subset S of t + 1 parties whose sharings have terminated successfully, all parties together reconstruct the secrets indicated by S, and every party adds the reconstructed secrets. The result is the desired random value, which is needed in both signature schemes. Second, the parties carry out the complete protocol 30 for RSA inversion. Finally, every party computes the signature and outputs it.

In the absence of an honest P_S, the sketched protocol is run t + 1 times in parallel; this may result in up to t + 1 different signatures on the same message, which is unlikely to cause problems in most applications.

Application: Verifiable Random Functions and Byzantine Agreement 
A verifiable random function (VRF) is a pseudo-random function that provides a non-interactively verifiable proof for the correctness of its output. A pseudo-random function f_s with a secret seed s maps input bit strings of a fixed length to output bit strings of a fixed length; its output is computationally indistinguishable from a random function for any polynomial-time observer. S. Micali, M. Rabin, and S. Vadhan in "Verifiable random functions," in Proc. 40th IEEE Symposium on Foundations of Computer Science (FOCS), 1999, formalized the notion of a verifiable random function: given an input x, knowledge of the seed s allows one to compute v = f_s(x) together with a unique verification value or "proof". This proof convinces every verifier that v is the correct output for x with respect to the given public key of the VRF. A difficulty is that the proof should not reveal anything about f_s on inputs different from x.

A VRF construction is based on the unpredictability of the RSA inversion operation, but the construction is too complex to describe here. In order to obtain a threshold verifiable random function in asynchronous networks, only the RSA inversion step should be distributed; all other operations are deterministic, given the public key and the shared initialization data of the scheme.

The complete protocol 30 for RSA inversion yields the first threshold VRF based on RSA, the strong RSA assumption, to be precise, which is also efficient, i.e., not based on generic multi-party computation methods. The VRF construction executes a sequence of RSA inversions; the asynchronous distributed implementation succeeds without using a Byzantine agreement primitive since every inversion operation is self-verifiable, as is the final VRF output.

An interesting application of this threshold VRF is to implement asynchronous Byzantine agreement by using the VRF as a common coin sub-protocol. Thus, the inversion protocol also yields an efficient cryptographic asynchronous Byzantine agreement protocol under the strong RSA assumption, and without random oracles.

Asynchronous Byzantine agreement protocols rely on randomization, which can be implemented by the mentioned common coin protocols. In modern cryptography, such a common coin is known as an unpredictable threshold pseudo-random function. So far, all efficient implementations of this primitive have relied on the random oracle model or on synchronous networks and broadcast channels.

Any disclosed embodiment may be combined with one or several of the other embodiments 
shown and/or described. This is also possible for one or more features of the embodiments. 

The present invention can be realized in hardware, software, or a combination of hardware and software. Any kind of computer system - or other apparatus adapted for carrying out the method described herein - is suited. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein. The present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which - when loaded in a computer system - is able to carry out these methods.

Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; b) reproduction in a different material form.